<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <title>Sanitize filters</title>
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-base.css" />
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-medium.css" />

 </head>
 <body class="docs"><div class="navbar navbar-fixed-top">
</div>
<div id="layout">
  <div id="layout-content"><div id="filter.filters.sanitize" class="section">
  <h2 class="title">Sanitize filters</h2>
   <p class="para">
    <table class="doctable table">
     <caption><strong>List of filters for sanitization</strong></caption>
     
      <thead>
       <tr>
        <th>ID</th>
        <th>Name</th>
        <th>Flags</th>
        <th>Description</th>
       </tr>

      </thead>

      <tbody class="tbody">
       <tr>
        <td><strong><code>FILTER_SANITIZE_EMAIL</code></strong></td>
        <td>&quot;email&quot;</td>
        <td class="empty">&nbsp;</td>
        <td>
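         Remove all characters except letters, digits and
         <code class="literal">!#$%&amp;&#039;*+-=?^_`{|}~@.[]</code>.
         This only removes characters; it does not check that the result is
         a valid address (use <strong><code>FILTER_VALIDATE_EMAIL</code></strong> for that).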
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_ENCODED</code></strong></td>
        <td>&quot;encoded&quot;</td>
        <td>
         <strong><code>FILTER_FLAG_STRIP_LOW</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_HIGH</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_BACKTICK</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_LOW</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_HIGH</code></strong>
        </td>
        <td>URL-encode string, optionally strip or encode special characters.</td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_MAGIC_QUOTES</code></strong></td>
        <td>&quot;magic_quotes&quot;</td>
        <td class="empty">&nbsp;</td>
        <td>
         Apply <span class="function"><a href="function.addslashes.html" class="function">addslashes()</a></span>.
         (<em class="emphasis">DEPRECATED</em> as of PHP 7.3.0 and
         <em class="emphasis">REMOVED</em> as of  PHP 8.0.0,
         use <strong><code>FILTER_SANITIZE_ADD_SLASHES</code></strong> instead.)
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_ADD_SLASHES</code></strong></td>
        <td>&quot;add_slashes&quot;</td>
        <td class="empty">&nbsp;</td>
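        <td>Apply <span class="function"><a href="function.addslashes.html" class="function">addslashes()</a></span>. (Available as of PHP 7.3.0) Escaping with addslashes() does not make a value safe to embed in an SQL query; use prepared statements with bound parameters for that.</td>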
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_NUMBER_FLOAT</code></strong></td>
        <td>&quot;number_float&quot;</td>
        <td>
         <strong><code>FILTER_FLAG_ALLOW_FRACTION</code></strong>,
         <strong><code>FILTER_FLAG_ALLOW_THOUSAND</code></strong>,
         <strong><code>FILTER_FLAG_ALLOW_SCIENTIFIC</code></strong>
        </td>
        <td>
         Remove all characters except digits, <code class="literal">+-</code> and
         optionally <code class="literal">.,eE</code>.
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_NUMBER_INT</code></strong></td>
        <td>&quot;number_int&quot;</td>
        <td class="empty">&nbsp;</td>
        <td>
         Remove all characters except digits, plus and minus sign.
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_SPECIAL_CHARS</code></strong></td>
        <td>&quot;special_chars&quot;</td>
        <td>
         <strong><code>FILTER_FLAG_STRIP_LOW</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_HIGH</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_BACKTICK</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_HIGH</code></strong>
        </td>
        <td>
         HTML-encode <code class="literal">&#039;&quot;&lt;&gt;&amp;</code> and characters with
         ASCII value less than 32, optionally strip or encode other special
         characters.
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_FULL_SPECIAL_CHARS</code></strong></td>
        <td>&quot;full_special_chars&quot;</td>
        <td>
         <strong><code>FILTER_FLAG_NO_ENCODE_QUOTES</code></strong>
        </td>
        <td>
         Equivalent to calling <span class="function"><a href="function.htmlspecialchars.html" class="function">htmlspecialchars()</a></span> with <strong><code>ENT_QUOTES</code></strong> set. Encoding quotes can
         be disabled by setting <strong><code>FILTER_FLAG_NO_ENCODE_QUOTES</code></strong>. Like <span class="function"><a href="function.htmlspecialchars.html" class="function">htmlspecialchars()</a></span>, this
         filter is aware of the <a href="ini.core.html#ini.default-charset" class="link">default_charset</a>: if the input contains a sequence of bytes that
         makes up an invalid character in the current character set, the entire string is rejected and a 0-length string is returned.
         When using this filter as a default filter, see the warning below about setting the default flags to 0.
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_STRING</code></strong></td>
        <td>&quot;string&quot;</td>
        <td>
         <strong><code>FILTER_FLAG_NO_ENCODE_QUOTES</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_LOW</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_HIGH</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_BACKTICK</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_LOW</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_HIGH</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_AMP</code></strong>
        </td>
        <td>
         Strip tags and HTML-encode double and single quotes, optionally strip
         or encode special characters. Encoding quotes can be
         disabled by setting <strong><code>FILTER_FLAG_NO_ENCODE_QUOTES</code></strong>.
         (<em class="emphasis">Deprecated</em> as of PHP 8.1.0,
         use <span class="function"><a href="function.htmlspecialchars.html" class="function">htmlspecialchars()</a></span> instead.)
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_STRIPPED</code></strong></td>
        <td>&quot;stripped&quot;</td>
        <td class="empty">&nbsp;</td>
        <td>
         Alias of &quot;string&quot; filter.
         (<em class="emphasis">Deprecated</em> as of PHP 8.1.0,
         use <span class="function"><a href="function.htmlspecialchars.html" class="function">htmlspecialchars()</a></span> instead.)
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_SANITIZE_URL</code></strong></td>
        <td>&quot;url&quot;</td>
        <td class="empty">&nbsp;</td>
        <td>
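         Remove all characters except letters, digits and
         <code class="literal">$-_.+!*&#039;(),{}|\\^~[]`&lt;&gt;#%&quot;;/?:@&amp;=</code>.
         The characters that are kept include <code class="literal">&lt;&gt;&quot;&#039;</code>, so the
         result still has to be escaped before it is written into HTML.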
        </td>
       </tr>

       <tr>
        <td><strong><code>FILTER_UNSAFE_RAW</code></strong></td>
        <td>&quot;unsafe_raw&quot;</td>
        <td>
         <strong><code>FILTER_FLAG_STRIP_LOW</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_HIGH</code></strong>,
         <strong><code>FILTER_FLAG_STRIP_BACKTICK</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_LOW</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_HIGH</code></strong>,
         <strong><code>FILTER_FLAG_ENCODE_AMP</code></strong>
        </td>
        <td>
         Do nothing, optionally strip or encode special characters.
         <strong><code>FILTER_DEFAULT</code></strong> is an alias of this filter, so
         without flags the value is returned unchanged and no sanitization is applied.
        </td>
       </tr>

      </tbody>
     
    </table>

   </p>
   <div class="warning"><strong class="warning">警告</strong>
     <p class="para">
       When one of these filters is used as the default filter, set either through your ini file
       or through your web server&#039;s configuration, the default flags are set to
       <strong><code>FILTER_FLAG_NO_ENCODE_QUOTES</code></strong>, so single and double quotes are
       left unencoded. To have quotes encoded by default, explicitly set
       filter.default_flags to 0, like this:
       <div class="example" id="example-5058">
         <p><strong>示例 #1 Configuring the default filter to act like htmlspecialchars</strong></p>
         <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
filter.default&nbsp;=&nbsp;full_special_chars<br />filter.default_flags&nbsp;=&nbsp;0</span>
</code></div>
         </div>

       </div>
     </p>
   </div>
   
  <div class="simplesect">
   <h3 class="title">更新日志</h3>
   <p class="para">
    <table class="doctable informaltable">
     
      <thead>
       <tr>
        <th>版本</th>
        <th>说明</th>
       </tr>

      </thead>

      <tbody class="tbody">
       <tr>
        <td>8.1.0</td>
        <td>
         <strong><code>FILTER_SANITIZE_STRING</code></strong> and
         <strong><code>FILTER_SANITIZE_STRIPPED</code></strong> have been deprecated.
        </td>
       </tr>

       <tr>
        <td>8.0.0</td>
        <td>
         <strong><code>FILTER_SANITIZE_MAGIC_QUOTES</code></strong> has been removed.
        </td>
       </tr>

       <tr>
        <td>7.3.0</td>
        <td>
         <strong><code>FILTER_SANITIZE_ADD_SLASHES</code></strong> was added as a
         replacement for <strong><code>FILTER_SANITIZE_MAGIC_QUOTES</code></strong>.
        </td>
       </tr>

       <tr>
        <td>7.3.0</td>
        <td>
         <strong><code>FILTER_SANITIZE_MAGIC_QUOTES</code></strong> has been deprecated.
        </td>
       </tr>

      </tbody>
     
    </table>

   </p>
  </div>

 </div></div></div></body></html>